From 53e5ef6b4e2b4f9e8fd797773f4eabf7701158da Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Wed, 3 Mar 2021 18:08:22 -0500
Subject: [PATCH] Always backup both certs and kubeconfig

There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier
---
.../control-plane/tasks/kubeadm-backup.yml | 28 +++++++++++++++++++
.../tasks/kubeadm-certificate.yml | 15 ----------
.../control-plane/tasks/kubeadm-setup.yml | 11 ++++----
3 files changed, 33 insertions(+), 21 deletions(-)
create mode 100644 roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
delete mode 100644 roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml

diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
new file mode 100644
index 00000000000..1e1dda97fb3
--- /dev/null
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
@@ -0,0 +1,28 @@
+---
+- name: Backup old certs and keys
+ copy:
+ src: "{{ kube_cert_dir }}/{{ item }}"
+ dest: "{{ kube_cert_dir }}/{{ item }}.old"
+ mode: preserve
+ remote_src: yes
+ with_items: - apiserver.crt - apiserver.key - apiserver-kubelet-client.crt - apiserver-kubelet-client.key - front-proxy-client.crt - front-proxy-client.key
+ ignore_errors: yes
+
+- name: Backup old confs
+ copy:
+ src: "{{ kube_config_dir }}/{{ item }}"
+ dest: "{{ kube_config_dir }}/{{ item }}.old"
+ mode: preserve
+ remote_src: yes
+ with_items: - admin.conf - controller-manager.conf - kubelet.conf - scheduler.conf
+ ignore_errors: yes
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml b/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
deleted file mode 100644
index 03ebe25365c..00000000000
--- a/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
+++ /dev/null
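Review bot: `ignore_errors: yes` on both copy tasks in the new kubeadm-backup.yml masks every failure of the backup, not only a missing source file, so a copy that fails on permissions or a full disk is reported and the play carries on to whatever rewrites the originals, which is exactly the case the backup exists for. Registering a `stat` over the same file list and running the copy only `when: item.stat.exists` keeps the first-run case (no files yet) quiet while letting a real copy failure stop the play; the rewritten first task is below and the confs task takes the same shape against `kube_config_dir`. Nothing here prunes the `.old` copies either: they hold the same private keys and client credentials as the originals (admin.conf in a kubeadm cluster normally embeds a cluster-admin client certificate and key) under the preserved mode and remain usable until the embedded certificates expire, which deserves a header comment such as `# .old copies are never pruned; treat them as live credentials, not as inert backups`. The booleans should also be written as `true` rather than `yes` (yamllint truthy).
```yaml
- name: Check which certs and keys exist
  stat:
    path: "{{ kube_cert_dir }}/{{ item }}"
  with_items:
    - apiserver.crt
    - apiserver.key
    - apiserver-kubelet-client.crt
    - apiserver-kubelet-client.key
    - front-proxy-client.crt
    - front-proxy-client.key
  register: kubeadm_backup_certs

- name: Backup old certs and keys
  copy:
    src: "{{ kube_cert_dir }}/{{ item.item }}"
    dest: "{{ kube_cert_dir }}/{{ item.item }}.old"
    mode: preserve
    remote_src: true
  with_items: "{{ kubeadm_backup_certs.results }}"
  when: item.stat.exists

# … unchanged in shape: "Backup old confs", gated the same way on a stat of kube_config_dir …
```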
@@ -1,15 +0,0 @@
----
-- name: Backup old certs and keys
- copy:
- src: "{{ kube_cert_dir }}/{{ item.src }}"
- dest: "{{ kube_cert_dir }}/{{ item.dest }}"
- mode: 0640
- remote_src: yes
- with_items: - {src: apiserver.crt, dest: apiserver.crt.old} - {src: apiserver.key, dest: apiserver.key.old} - {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old} - {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old} - {src: front-proxy-client.crt, dest: front-proxy-client.crt.old} - {src: front-proxy-client.key, dest: front-proxy-client.key.old}
- ignore_errors: yes
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index 55dbac6953b..0802c616a09 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -18,6 +18,11 @@
get_mime: no
register: kubeadm_already_run
+- name: kubeadm | Backup kubeadm certs / kubeconfig
+ import_tasks: kubeadm-backup.yml
+ when:
+ - kubeadm_already_run.stat.exists
+
- name: kubeadm | aggregate all SANs
set_fact:
apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn) | unique }}"
@@ -68,12 +73,6 @@
- name: kubeadm | set kubeadm version
import_tasks: kubeadm-version.yml
-- name: kubeadm | Certificate management with kubeadm
- import_tasks: kubeadm-certificate.yml
- when:
- - not upgrade_cluster_setup
- - kubeadm_already_run.stat.exists
-
- name: kubeadm | Check if apiserver.crt contains all needed SANs
command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
with_items: "{{ apiserver_sans }}"
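Review bot: With the `when:` on the new import reduced to `kubeadm_already_run.stat.exists`, the backup now runs on every play against an already-initialized control plane, and because kubeadm-backup.yml in this same patch copies to a fixed `{{ item }}.old` name, a second run after a failed or partial upgrade overwrites the only backup with files the previous run has already replaced. If a single generation is the intent, say so at the import, e.g. `# Overwrites the previous .old copies: only the state before the most recent run is kept`. Otherwise gate the import on whatever actually decides to regenerate the files; the SAN check in the later hunk looks like that signal, but its consumer sits outside this diff, so I can't confirm it here. The enclosing task list continues outside the hunk.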